diff --git a/homeassistant/components/emulated_hue.py b/homeassistant/components/emulated_hue.py index 667a73c6a16..ad89e001df0 100644 --- a/homeassistant/components/emulated_hue.py +++ b/homeassistant/components/emulated_hue.py @@ -76,6 +76,7 @@ def setup(hass, yaml_config): ssl_certificate=None, ssl_key=None, cors_origins=[], + use_x_forwarded_for=False, trusted_networks=[] ) diff --git a/homeassistant/components/http.py b/homeassistant/components/http.py index 5886693c64f..fabff7add53 100644 --- a/homeassistant/components/http.py +++ b/homeassistant/components/http.py @@ -28,7 +28,7 @@ from homeassistant import util from homeassistant.const import ( SERVER_PORT, HTTP_HEADER_HA_AUTH, # HTTP_HEADER_CACHE_CONTROL, CONTENT_TYPE_JSON, ALLOWED_CORS_HEADERS, EVENT_HOMEASSISTANT_STOP, - EVENT_HOMEASSISTANT_START) + EVENT_HOMEASSISTANT_START, HTTP_HEADER_X_FORWARDED_FOR) import homeassistant.helpers.config_validation as cv from homeassistant.components import persistent_notification @@ -42,6 +42,7 @@ CONF_DEVELOPMENT = 'development' CONF_SSL_CERTIFICATE = 'ssl_certificate' CONF_SSL_KEY = 'ssl_key' CONF_CORS_ORIGINS = 'cors_allowed_origins' +CONF_USE_X_FORWARDED_FOR = 'use_x_forwarded_for' CONF_TRUSTED_NETWORKS = 'trusted_networks' DATA_API_PASSWORD = 'api_password' @@ -82,6 +83,7 @@ CONFIG_SCHEMA = vol.Schema({ vol.Optional(CONF_SSL_CERTIFICATE): cv.isfile, vol.Optional(CONF_SSL_KEY): cv.isfile, vol.Optional(CONF_CORS_ORIGINS): vol.All(cv.ensure_list, [cv.string]), + vol.Optional(CONF_USE_X_FORWARDED_FOR, default=False): cv.boolean, vol.Optional(CONF_TRUSTED_NETWORKS): vol.All(cv.ensure_list, [ip_network]) }), @@ -125,6 +127,7 @@ def setup(hass, config): ssl_certificate = conf.get(CONF_SSL_CERTIFICATE) ssl_key = conf.get(CONF_SSL_KEY) cors_origins = conf.get(CONF_CORS_ORIGINS, []) + use_x_forwarded_for = conf.get(CONF_USE_X_FORWARDED_FOR, False) trusted_networks = [ ip_network(trusted_network) for trusted_network in conf.get(CONF_TRUSTED_NETWORKS, [])] @@ -138,6 +141,7 @@ def setup(hass, config): ssl_certificate=ssl_certificate, ssl_key=ssl_key, cors_origins=cors_origins, + use_x_forwarded_for=use_x_forwarded_for, trusted_networks=trusted_networks ) @@ -248,7 +252,7 @@ class HomeAssistantWSGI(object): def __init__(self, hass, development, api_password, ssl_certificate, ssl_key, server_host, server_port, cors_origins, - trusted_networks): + use_x_forwarded_for, trusted_networks): """Initialize the WSGI Home Assistant server.""" import aiohttp_cors @@ -260,6 +264,7 @@ class HomeAssistantWSGI(object): self.ssl_key = ssl_key self.server_host = server_host self.server_port = server_port + self.use_x_forwarded_for = use_x_forwarded_for self.trusted_networks = trusted_networks self.event_forwarder = None self._handler = None @@ -366,11 +371,15 @@ class HomeAssistantWSGI(object): yield from self._handler.finish_connections(60.0) yield from self.app.cleanup() - @staticmethod - def get_real_ip(request): + def get_real_ip(self, request): """Return the clients correct ip address, even in proxied setups.""" - peername = request.transport.get_extra_info('peername') - return peername[0] if peername is not None else None + if self.use_x_forwarded_for \ + and HTTP_HEADER_X_FORWARDED_FOR in request.headers: + return request.headers.get( + HTTP_HEADER_X_FORWARDED_FOR).split(',')[0] + else: + peername = request.transport.get_extra_info('peername') + return peername[0] if peername is not None else None def is_trusted_ip(self, remote_addr): """Match an ip address against trusted CIDR networks.""" @@ -452,7 +461,7 @@ def request_handler_factory(view, handler): @asyncio.coroutine def handle(request): """Handle incoming request.""" - remote_addr = HomeAssistantWSGI.get_real_ip(request) + remote_addr = view.hass.http.get_real_ip(request) # Auth code verbose on purpose authenticated = False diff --git a/homeassistant/const.py b/homeassistant/const.py index a25c73abaeb..baf0c6519c7 100644 --- a/homeassistant/const.py +++ b/homeassistant/const.py @@ -360,6 +360,7 @@ HTTP_HEADER_CONTENT_LENGTH = 'Content-Length' HTTP_HEADER_CACHE_CONTROL = 'Cache-Control' HTTP_HEADER_EXPIRES = 'Expires' HTTP_HEADER_ORIGIN = 'Origin' +HTTP_HEADER_X_FORWARDED_FOR = 'X-Forwarded-For' HTTP_HEADER_X_REQUESTED_WITH = 'X-Requested-With' HTTP_HEADER_ACCEPT = 'Accept' HTTP_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN = 'Access-Control-Allow-Origin' diff --git a/tests/components/test_http.py b/tests/components/test_http.py index 42a0498ae60..28ded4d6b44 100644 --- a/tests/components/test_http.py +++ b/tests/components/test_http.py @@ -22,6 +22,10 @@ HA_HEADERS = { # Don't add 127.0.0.1/::1 as trusted, as it may interfere with other test cases TRUSTED_NETWORKS = ['192.0.2.0/24', '2001:DB8:ABCD::/48', '100.64.0.1', 'FD01:DB8::1'] +TRUSTED_ADDRESSES = ['100.64.0.1', '192.0.2.100', 'FD01:DB8::1', + '2001:DB8:ABCD::1'] +UNTRUSTED_ADDRESSES = ['198.51.100.1', '2001:DB8:FA1::1', '127.0.0.1', '::1'] + CORS_ORIGINS = [HTTP_BASE_URL, HTTP_BASE] @@ -85,10 +89,19 @@ class TestHttp: assert req.status_code == 401 + def test_access_denied_with_x_forwarded_for(self, caplog): + """Test access denied through the X-Forwarded-For http header.""" + hass.http.use_x_forwarded_for = True + for remote_addr in UNTRUSTED_ADDRESSES: + req = requests.get(_url(const.URL_API), headers={ + const.HTTP_HEADER_X_FORWARDED_FOR: remote_addr}) + + assert req.status_code == 401, \ + "{} shouldn't be trusted".format(remote_addr) + def test_access_denied_with_untrusted_ip(self, caplog): """Test access with an untrusted ip address.""" - for remote_addr in ['198.51.100.1', '2001:DB8:FA1::1', '127.0.0.1', - '::1']: + for remote_addr in UNTRUSTED_ADDRESSES: with patch('homeassistant.components.http.' 'HomeAssistantWSGI.get_real_ip', return_value=remote_addr): @@ -138,10 +151,19 @@ class TestHttp: # assert const.URL_API in logs assert API_PASSWORD not in logs - def test_access_with_trusted_ip(self, caplog): + def test_access_granted_with_x_forwarded_for(self, caplog): + """Test access denied through the X-Forwarded-For http header.""" + hass.http.use_x_forwarded_for = True + for remote_addr in TRUSTED_ADDRESSES: + req = requests.get(_url(const.URL_API), headers={ + const.HTTP_HEADER_X_FORWARDED_FOR: remote_addr}) + + assert req.status_code == 200, \ + "{} should be trusted".format(remote_addr) + + def test_access_granted_with_trusted_ip(self, caplog): """Test access with trusted addresses.""" - for remote_addr in ['100.64.0.1', '192.0.2.100', 'FD01:DB8::1', - '2001:DB8:ABCD::1']: + for remote_addr in TRUSTED_ADDRESSES: with patch('homeassistant.components.http.' 'HomeAssistantWSGI.get_real_ip', return_value=remote_addr): diff --git a/tests/scripts/test_check_config.py b/tests/scripts/test_check_config.py index f0ef9efb2d1..e709d4693c7 100644 --- a/tests/scripts/test_check_config.py +++ b/tests/scripts/test_check_config.py @@ -165,7 +165,8 @@ class TestCheckConfig(unittest.TestCase): self.assertDictEqual({ 'components': {'http': {'api_password': 'abc123', - 'server_port': 8123}}, + 'server_port': 8123, + 'use_x_forwarded_for': False}}, 'except': {}, 'secret_cache': {secrets_path: {'http_pw': 'abc123'}}, 'secrets': {'http_pw': 'abc123'},